Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API

One important aspect of data theft in criminal markets revolves around the authenticity of the data that is being resold. There are different services that exist to vet such things as credit card numbers so that buyers can purchase with confidence.

Criminals are also very aware that anyone, and security researchers in particular, may want to interfere with their operations. Filling up phishing pages with junk data is a sport of its own, although it may also be counterproductive at times. Defenders can likewise use special cards issued for tracing purposes to follow the money.

We recently spotted a Magecart skimmer that collects the current victim’s IP address and browser user-agent in addition to their email, address, phone number and credit card data. Because the victim already filled in their home address, we believe this is a fingerprinting effort much like what is done in traditional malware campaigns.

Skimmer targets various geolocations

The skimmer uses iframes that are loaded if the current page is the checkout and if the browser’s local storage does not include a font item (this is equivalent to using cookies to detect returning visitors).

Figure 1: Skimmer checking for address bar and inserting iframe

The final rendering is identical to official payment platforms and does not give anything away:

Figure 2: Fake payment forms injected by skimmer

Fingerprinting via Cloudflare API

The underlying code will scrape everything from the customer’s contact and payment forms. This is something that is often overlooked when talking about digital skimmers, yet it is extremely important. While financial institutions can reissue you a new card in the mail, the information the criminals have collected is equivalent to a data breach and can be reused for other types of fraud later on.

Figure 3: Skimmer data collection and fingerprinting

One thing we noticed that was a little unusual is code that queries the legitimate Cloudflare endpoint API and parses out the results specifically for two things: the user’s current IP address and the browser’s user-agent. A user-agent string might look something like this:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

From this you can determine the user is running Windows 10 (64 bit version) with Chrome version 110.
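The following is an added example, not code from this post or from the skimmer it describes: it parses a response of the shape the Cloudflare endpoint returns and derives the same coarse profile from the user-agent string, so a fraud or incident-response team can recognise these two extra fields in captured exfiltration data. It assumes the endpoint is Cloudflare's /cdn-cgi/trace, which answers with plain-text key=value lines including ip and uag, and it uses a constructed sample response.

```javascript
// Added example; not code from the post or from the skimmer it describes.
// Assumption: the "Cloudflare endpoint API" is the /cdn-cgi/trace endpoint,
// which answers with plain-text key=value lines. Constructed sample response:
const SAMPLE_TRACE = [
  "fl=123abc",
  "h=shop.example",
  "ip=203.0.113.42",
  "uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
  "colo=LHR",
  "tls=TLSv1.3",
].join("\n");

// Parse key=value lines into an object; the post says only ip and uag are used.
function parseTrace(body) {
  const fields = {};
  for (const line of body.split("\n")) {
    const eq = line.indexOf("=");
    if (eq > 0) fields[line.slice(0, eq)] = line.slice(eq + 1);
  }
  return fields;
}

// Read the coarse profile off a UA string the way the post does for Figure 4:
// OS, 32/64-bit, browser and major version. Edge and Opera UAs also contain
// "Chrome/", so their own tokens are checked first.
function profileFromUserAgent(ua) {
  const p = { os: "unknown", arch: "unknown", browser: "unknown", version: null };
  const win = ua.match(/Windows NT (\d+\.\d+)/);
  if (win) {
    // NT 10.0 is reported by both Windows 10 and 11; the UA cannot tell them apart.
    p.os = { "10.0": "Windows 10", "6.3": "Windows 8.1", "6.1": "Windows 7" }[win[1]] || `Windows NT ${win[1]}`;
    p.arch = /Win64|x64|WOW64/.test(ua) ? "64-bit" : "32-bit";
  } else if (/Mac OS X/.test(ua)) p.os = "macOS";
  else if (/Android/.test(ua)) p.os = "Android";
  else if (/iPhone|iPad/.test(ua)) p.os = "iOS";
  else if (/Linux/.test(ua)) p.os = "Linux";
  const probes = [
    ["Edge", /Edg\/(\d+)/], ["Opera", /OPR\/(\d+)/], ["Firefox", /Firefox\/(\d+)/],
    ["Chrome", /Chrome\/(\d+)/], ["Safari", /Version\/(\d+)[\d.]* .*Safari\//],
  ];
  for (const [name, re] of probes) {
    const m = ua.match(re);
    if (m) { p.browser = name; p.version = Number(m[1]); break; }
  }
  return p;
}

// What the skimmer's two extra fields amount to: the IP plus the derived UA profile.
function fingerprintFromTrace(body) {
  const t = parseTrace(body);
  return { ip: t.ip ?? null, ...profileFromUserAgent(t.uag ?? "") };
}
```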

Figure 4: Stolen data including IP address and user-agent string

It’s worth noting that this is done after credit card data has already been collected and not before. It is quite common to check the user-agent string upon visiting a web page to determine whether a particular victim fits the target profile or to adapt the content to a mobile or desktop experience.

Since the skimmer already grabbed the shopper’s city, postal code and country it’s unlikely that the IP address would be of much use beyond that. We believe the threat actors are likely collecting IP addresses and user-agent strings for quality checks and monitoring invalid users such as bots and security researchers.

Conclusion

We observe a number of credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce. Online merchants need to be aware of this threat and take appropriate measures, not only to be compliant but also to make it much harder to be compromised in the first place. Since we mentioned Cloudflare in this post, it’s worth noting that the company provides a service to businesses called Page Shield, which helps keep visitors safe from malicious third-party libraries.

We continue to track and report skimming infrastructure in order to protect our users via our Malwarebytes for consumers and businesses, as well as our Browser Guard extension.

Indicators of Compromise


ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher